You know what’s the worst kind of phishing scam? The kind that you can’t simply ignore. Emails supposedly from the government, telling you to make that pending tax-related payment or risk legal action. Emails that look like your school or university sent them, asking you to pay that one tuition fee you missed. Or even a message from your boss or CEO, telling you to transfer them some money “as a favor”.

The problem with emails like this is that they’re impersonating an authority figure, whether it’s the government, your university board, or your boss at work. Those are important people, and ignoring their messages will almost certainly have serious consequences. So you’re forced to look at them, and if it seems convincing enough, you might actually fall for it.

But let’s take a look at CEO fraud. What exactly is it? Can it happen to you? And if it can, what should you do to stop it?

You’re not immune to CEO fraud

A $2.3 billion scam every year is what it is. You might be wondering, “What could possibly make companies lose that much money to a simple email scam?” But you’d be surprised how convincing CEO fraud emails can be.

In 2016, Mattel almost lost $3 million to a phishing attack when a finance executive received an email from the CEO, instructing her to send a payment to one of their vendors in China. But it was only after checking later with the CEO that she realized he’d never sent the email at all. Thankfully, the company worked with law enforcement in China and the US to get their money back a few days later, but that almost never happens with these attacks.

People tend to believe these scams won’t happen to them…until it happens to them. And that’s their biggest mistake: not preparing for CEO fraud.

Phishing scams can not only cost your organization millions of dollars, they can have a lasting impact on the reputation and credibility of your brand. You run the risk of being seen as the company that lost money to an email scam and losing the trust of your customers whose sensitive personal information you store.

Instead of scrambling to do damage control after the fact, it makes a lot more sense to secure your email channels against spear phishing scams like this one. Here are some of the best ways you can ensure that your organization doesn’t become a statistic in the FBI’s report on BEC.

How to prevent CEO fraud: 6 simple steps

  1. Educate your staff on security
    This one is absolutely critical. Members of your workforce—and especially those in finance—need to understand how Business Email Compromise works. And we don’t just mean a boring 2-hour presentation about not writing down your password on a post-it note. You need to train them to spot the signs that an email is fake: spoofed or lookalike sender addresses, and unusual requests that other staff members appear to be making over email.
  2. Look out for telltale signs of spoofing
    Email scammers use all kinds of tactics to get you to comply with their requests. These range from urgent requests or instructions to transfer money, meant to get you to act quickly and without thinking, to requests for access to confidential information for a ‘secret project’ that the higher-ups aren’t ready to share with you yet. These are serious red flags, and you need to double and triple-check before taking any action at all.
  3. Get protected with DMARC
    The easiest way to prevent a phishing scam is to never receive the email in the first place. DMARC is an email authentication protocol that verifies emails claiming to come from your domain before they are delivered. When you enforce DMARC on your domain, any attacker impersonating someone from your own organization will be detected as an unauthorized sender, and their email will be blocked from your inbox. You don’t have to deal with spoofed emails at all.
  4. Get explicit approval for wire transfers
    This is one of the easiest and most straightforward ways to prevent money transfers to the wrong people. Before committing to any transaction, make it compulsory to seek explicit approval from the person requesting money using another channel besides email. For larger wire transfers, make it mandatory to receive verbal confirmation.
  5. Flag emails with similar extensions
    The FBI recommends that your organization create system rules that automatically flag emails that use extensions (domain names) too similar to your own. For example, if your company uses ‘123-business.com’, the system could detect and flag emails using lookalikes such as ‘123_business.com’.
  6. Purchase similar domain names
    Attackers often register similar-looking domain names to send phishing emails. For example, if your organization has a lowercase ‘i’ in its name, they might use an uppercase ‘I’, or replace the letter ‘E’ with the number ‘3’. Buying these lookalike domains yourself lowers the chance of someone else using an extremely similar domain name to send you emails.
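Steps 5 and 6 both come down to recognising a domain that is "too similar" to your own. The following Python is an added example of one way to express that as a mail-flow rule; it is not code from the original post or from PowerDMARC. The domain ‘123-business.com’ is the one used in step 5, the sender addresses are constructed, and the confusable-character table is an assumption for illustration rather than a complete homoglyph list.

```python
import unicodedata

# Constructed example: the organization's own domain, taken from step 5 above.
OUR_DOMAIN = "123-business.com"

# Character swaps attackers commonly rely on (the 'i'/'I' and 'E'/'3' cases from
# step 6 among them). This mapping is an assumption for the example, not an
# exhaustive confusables table, and it does not cover cross-script homoglyphs.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "i": "l", "!": "l", "|": "l", "$": "s", "_": "-",
})


def skeleton(domain: str) -> str:
    """Reduce a domain to a 'skeleton' so visually similar spellings collide."""
    d = unicodedata.normalize("NFKD", domain.lower().strip("."))
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    d = d.translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")  # multi-letter look-alikes


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so a single inserted or dropped letter is still caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _name_part(skel: str) -> str:
    """Registrable name without the top-level domain ('example' from 'example.com')."""
    return skel.rsplit(".", 1)[0] if "." in skel else skel


def classify_sender(address: str, own_domain: str = OUR_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for the domain of an email address."""
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    own = own_domain.lower()
    if domain == own or domain.endswith("." + own):
        return "internal"
    own_sk, sk = skeleton(own), skeleton(domain)
    # Same skeleton (1/l/i swaps, 3/e swaps, underscores), a one-letter edit,
    # or the same name under a different top-level domain all count as lookalikes.
    if sk == own_sk or levenshtein(_name_part(sk), _name_part(own_sk)) <= 1:
        return "lookalike"
    return "external"


def flag_messages(senders):
    """The mail rule itself: return the senders that should be held for review."""
    return [s for s in senders if classify_sender(s) == "lookalike"]


if __name__ == "__main__":
    sample = [  # constructed sender addresses
        "cfo@123-business.com",
        "cfo@123_business.com",
        "cfo@I23-business.com",
        "cfo@123-busin3ss.com",
        "cfo@123-business.co",
        "partner@vendor.example",
    ]
    for s in sample:
        print(f"{s:32} {classify_sender(s)}")
```

In practice such a rule sits in the mail gateway and only flags for review; it does not replace the out-of-band approval in step 4, because a lookalike check says nothing about a genuine account that has been taken over.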


As a DMARC services provider, we get asked this question a lot: “If DMARC just uses SPF and DKIM authentication, why should we bother with DMARC? Isn’t that just unnecessary?”

On the surface it might seem to make little difference, but the reality is very different. DMARC isn’t just a combination of SPF and DKIM technologies, it’s an entirely new protocol by itself. It has several features that make it one of the most advanced email authentication standards in the world, and an absolute necessity for businesses.

But wait a minute. We’ve not answered exactly why you need DMARC. What does it offer that SPF and DKIM don’t? Well, that’s a rather long answer; too long for just one blog post. So let’s split it up and talk about SPF first. In case you’re not familiar with it, here’s a quick intro.

What is SPF?

SPF, or Sender Policy Framework, is an email authentication protocol that protects email receivers from spoofed emails. It’s essentially a list of all the IP addresses that you, the domain owner, have authorized to send email on your domain’s behalf. When a receiving server sees a message from your domain, it checks the SPF record published in your DNS. If the sender’s IP is in this ‘list’, the email gets delivered. If not, the server rejects the email.

As you can see, SPF does a pretty good job keeping out a lot of unsavoury emails that could harm your device or compromise your organisation’s security systems. But SPF isn’t nearly as good as some people might think. That’s because it has some very major drawbacks. Let’s talk about some of these problems.

Limitations of SPF

SPF records don’t apply to the From address

Emails have multiple addresses that identify their sender: the From address that you normally see, and the Return Path address that’s hidden and requires one or two clicks to view. With SPF enabled, the receiving email server looks at the Return Path and checks the SPF record of the domain in that address.

The problem is that attackers can exploit this by using their own domain in the Return Path address and a legitimate (or legitimate-looking) address in the From field. Even if the recipient were to check the sender’s address, they’d see the From address first, and typically wouldn’t bother to check the Return Path. In fact, most people aren’t even aware that a Return Path address exists.

SPF can be quite easily circumvented with this simple trick, and it leaves even domains secured with SPF largely vulnerable.

SPF records have a DNS lookup limit

SPF records contain a list of all the IP addresses authorized by the domain owner to send emails. However, they have a crucial drawback. The receiving server needs to check the record to see if the sender is authorized, and to reduce the load on the server, SPF records have a limit of 10 DNS lookups.

This means that if your organization uses multiple third-party vendors who send emails through your domain, the SPF record can end up overshooting that limit. Unless properly optimized (which isn’t easy to do yourself), SPF records run into this very restrictive limit. When you exceed it, the SPF implementation is considered invalid and your email fails SPF. This could potentially harm your email delivery rates.
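Whether a record overshoots the limit is not obvious from reading it, because every include: pulls in the lookups of the included record as well. The Python below is an added example of a lookup counter that walks a record the way a receiver does; it is not code from the original post or from PowerDMARC. The zone data is an in-memory stand-in for real DNS, and every domain and address in it is constructed.

```python
import re

# Constructed DNS zone standing in for real lookups (assumed records for this example).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailvendor.example include:_spf.crm.example -all",
    "_spf.mailvendor.example": "v=spf1 include:a.mailvendor.example include:b.mailvendor.example ~all",
    "a.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 a -all",
    "b.mailvendor.example": "v=spf1 ip6:2001:db8::/32 mx ~all",
    "_spf.crm.example": "v=spf1 exists:%{i}.spf.crm.example redirect=_spf2.crm.example",
    "_spf2.crm.example": "v=spf1 a mx ptr -all",
    "small.example": "v=spf1 ip4:192.0.2.10 include:_spf.mailvendor.example -all",
    "loop.example": "v=spf1 include:loop.example -all",
}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
# mechanism[:value] or modifier=value, e.g. include:x, redirect=x, a/24, ip4:1.2.3.0/24
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def count_spf_lookups(domain: str, dns=FAKE_DNS, _chain=()) -> int:
    """Count the DNS lookups a receiver must perform to evaluate domain's SPF record."""
    domain = domain.lower()
    if domain in _chain:
        raise ValueError("include/redirect loop: " + " -> ".join(_chain + (domain,)))
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        m = TERM_RE.match(term.lstrip("+-~?"))  # strip the qualifier, keep the term
        if not m:
            raise ValueError(f"unparseable term {term!r} in {domain}")
        name, value = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            # The included record's own lookups count against the same 10.
            total += count_spf_lookups(value, dns, _chain + (domain,))
    return total


def check_spf(domain: str, dns=FAKE_DNS) -> dict:
    """Report the lookup count against the limit that turns the record into a permerror."""
    lookups = count_spf_lookups(domain, dns)
    return {"domain": domain, "lookups": lookups, "within_limit": lookups <= MAX_LOOKUPS}


def spf_error(domain: str, dns=FAKE_DNS):
    """Return an error string for a record that cannot be evaluated, or None if it is clean."""
    try:
        count_spf_lookups(domain, dns)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for d in ("example.com", "small.example", "loop.example"):
        print(d, check_spf(d, FAKE_DNS) if spf_error(d) is None else spf_error(d))
```

The constructed example.com record looks modest (two vendors plus mx) but costs 12 lookups once the vendors' nested includes are counted, which is exactly how records exceed the limit without anyone noticing; the receiver returns permerror rather than a pass, and mail fails SPF.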


SPF doesn’t always work when the email is forwarded

SPF has another critical failure point that can harm your email deliverability. When you’ve implemented SPF on your domain and someone forwards your email, the forwarded email can get rejected due to your SPF policy.

That’s because forwarding changes the email’s recipient, but the sender’s address stays the same. This becomes a problem because the message still carries the original sender’s From address, but the receiving server now sees a different IP. The IP address of the forwarding email server isn’t included in the SPF record of the original sender’s domain, so the email can be rejected by the receiving server.

How does DMARC solve these issues?

DMARC uses a combination of SPF and DKIM to authenticate email. An email needs to pass either SPF or DKIM to pass DMARC and be delivered successfully. And it also adds one key feature that makes it far more effective than SPF or DKIM alone: Reporting.
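The piece that makes DMARC different from "SPF or DKIM" is identifier alignment: the domain that SPF or DKIM actually authenticated must match the domain in the visible From address, which closes the Return Path trick above, while the "either SPF or DKIM" rule lets a DKIM-signed message survive forwarding. The Python below is an added example of that evaluation and is not code from the original post or from PowerDMARC. It assumes a tiny public-suffix list in place of the real one, and the four message scenarios are constructed to match the cases discussed in this post.

```python
from dataclasses import dataclass
from typing import Optional

# A tiny public-suffix list standing in for the real one (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def organizational_domain(domain: str) -> str:
    """Strip subdomains: mail.example.com -> example.com (relaxed alignment compares these)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class Message:
    from_domain: str                    # domain in the visible From: header
    return_path_domain: str             # domain in the hidden Return Path (what SPF checks)
    spf_result: str                     # "pass" or "fail" as computed by the receiver
    dkim_domain: Optional[str] = None   # d= tag of the DKIM signature, if any
    dkim_result: str = "none"


def evaluate_dmarc(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """Pass if SPF or DKIM passed *and* its authenticated domain aligns with From."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.return_path_domain, msg.from_domain, aspf)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_domain, msg.from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed scenarios matching the SPF limitations described above.
SCENARIOS = {
    # Attacker's own domain in the Return Path, so raw SPF passes; From is the victim domain.
    "return_path_trick": Message("example.com", "bulk-sender.example", "pass"),
    # Forwarded message: SPF fails on the forwarder's IP, but the DKIM signature survives.
    "forwarded": Message("example.com", "example.com", "fail", "example.com", "pass"),
    # Legitimate vendor bouncing via a subdomain: aligned under relaxed mode only.
    "vendor_subdomain": Message("example.com", "bounce.example.com", "pass"),
    # Plain spoof with nothing authenticated.
    "plain_spoof": Message("example.com", "example.com", "fail"),
}

if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(f"{name:20} {evaluate_dmarc(msg)}")
```

The return_path_trick scenario is the one SPF alone cannot catch: SPF says "pass" because the attacker's own record authorises the attacker's own server, and only the alignment check against the From domain turns that into a DMARC failure.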

With DMARC reporting, you get daily feedback on the status of your email channels. This includes information about your DMARC alignment, data on emails that failed authentication, and details about potential spoofing attempts.

If you’re wondering about what you can do to not get spoofed, check out our handy guide on the top 5 ways to avoid email spoofing.

When it comes to cybercrime and security threats, Business Email Compromise (BEC) is the big daddy of email fraud. It’s the type of attack most organizations are the least prepared for, and one they’re most likely to get hit by. Over the past 3 years, BEC has cost organizations over $26 billion. And it can be shockingly easy to execute.

BEC attacks involve the attacker impersonating a higher-up executive at the organization, sending emails to a newly hired employee, often in the financial department. They request fund transfers or payments of fake invoices, which if executed well enough, can convince a less experienced employee to initiate the transaction.

You can see why BEC is such a huge problem among major organizations. It’s difficult to monitor the activities of all your employees, and the less experienced ones are more prone to falling for an email that seems to be coming from their boss or CFO. When organizations asked us what’s the most dangerous cyberattack they needed to watch out for, our answer was always BEC.

That is, until Silent Starling.

Organized Cybercrime Syndicate

The so-called Silent Starling is a group of Nigerian cybercriminals with a history in scams and fraud going as far back as 2015. In July 2019, they engaged with a major organization, impersonating the CEO of one of their business partners. The email asked for a sudden, last minute change in bank details, requesting an urgent wire transfer.

Thankfully, they discovered the email was fake before any transaction occurred, but in the ensuing investigation, the disturbing details of the group’s methods came to light.

In what’s now being called Vendor Email Compromise (VEC), the attackers launch a significantly more elaborate and organized attack than typically happens in conventional BEC. The attack has 3 separate, intricately planned-out phases that seem to require a lot more effort than what most BEC attacks usually require. Here’s how it works.

VEC: How to Defraud a Company in 3 Steps

Step 1: Breaking in

The attackers first gain access to the email account of one or more individuals at the organization. This is a carefully orchestrated process: they find out which companies lack DMARC-authenticated domains, since these are easy targets to spoof. They then gain access by sending employees a phishing email that leads to a fake login page and steals their login credentials. Now they have complete access to the inner workings of the organization.

Step 2: Collecting information

This second step is like a stakeout phase. The criminals can now read confidential emails, and use this to keep an eye out for employees involved in processing payments and transactions. The attackers identify the target organization’s biggest business partners and vendors. They gather information about the inner workings of the organization — things like billing practices, payment terms, and even what official documents and invoices look like.

Step 3: Taking action

With all this intelligence collected, the scammers create an extremely realistic email and wait for the right opportunity to send it (usually just before a transaction is about to take place). The email is targeted at the right person at the right time, and is coming through a genuine company account, which makes it next to impossible to identify.

By perfectly coordinating these 3 steps, Silent Starling were able to compromise their target organization’s security systems and nearly managed to steal tens of thousands of dollars. They were among the first to try such an elaborate cyberattack, and unfortunately, they’ll certainly not be the last.

I Don’t Want to Be a Victim of VEC. What Do I Do?

The really scary thing about VEC is that even if you’ve managed to discover it before the scammers could steal any money, it does not mean no damage has been done. The attackers still managed to get complete access to your email accounts and internal communications, and were able to get a detailed understanding of how your company’s finances, billing systems and other internal processes work. Information, especially sensitive information like this, leaves your organization completely exposed, and the attacker could always attempt another scam.

So what can you do about it? How are you supposed to prevent a VEC attack from happening to you?

1. Protect your email channels

One of the most effective ways to stop email fraud is to not even let the attackers begin Step 1 of the VEC process. You can stop cybercriminals from gaining initial access by simply blocking the phishing emails they use to steal your login credentials.

The PowerDMARC platform lets you use DMARC authentication to stop attackers from impersonating your brand and sending phishing emails to your own employees or business partners. It shows you everything going on in your email channels, and instantly alerts you when something goes wrong.

2. Educate your staff

One of the biggest mistakes even larger organizations make is not investing a little more time and effort in giving their workforce background knowledge of common online scams: how they work and what to look out for.

It can be very difficult to tell the difference between a real email and a well-crafted fake one, but there are often many tell-tale signs that even someone not highly trained in cybersecurity could identify.

3. Establish policies for business over email

A lot of companies just take email for granted, without really thinking about the inherent risks in an open, unmoderated communication channel. Instead of trusting each correspondence implicitly, act with the assumption that the person on the other end isn’t who they claim to be.

If you need to complete any transaction or share confidential information with them, use a secondary verification process. This could be anything from calling the partner to confirm, to having another person authorize the transaction.

Attackers are always finding new ways to compromise business email channels. You can’t afford to be unprepared.


For a lot of people, it’s not immediately clear what DMARC does or how it prevents domain spoofing, impersonation and fraud. This can lead to serious misconceptions about DMARC, how email authentication works, and why it’s good for you. But how do you know what’s right and what’s wrong? And how can you be sure you’re implementing it correctly? 

PowerDMARC is here to the rescue! To help you understand DMARC better, we’ve compiled this list of the top 6 most common misconceptions about DMARC.

1. DMARC is the same as a spam filter

This is one of the most common things people get wrong about DMARC. Spam filters block suspicious incoming email before it reaches your inbox, and that email can come from anyone’s domain, not just yours. DMARC, on the other hand, tells receiving email servers how to handle email that claims to be sent from your domain. Spam filters like Microsoft Office 365 ATP don’t protect other people from email that spoofs your domain. If your domain is DMARC-enforced and such an email fails authentication, the receiving server rejects it.

2. Once you set up DMARC, your email is safe forever

DMARC is one of the most advanced email authentication protocols out there, but that doesn’t mean it’s completely self-sufficient. You need to regularly monitor your DMARC reports to make sure emails from authorized sources are not being rejected. Even more importantly, you need to check for unauthorized senders abusing your domain. When you see an IP address making repeated attempts to spoof your email, you need to take action immediately and have them blacklisted or taken down.

3. DMARC will reduce my email deliverability

When you set up DMARC, it’s important to first set your policy to p=none. This means that all your emails still get delivered, but you’ll receive DMARC reports on whether they passed or failed authentication. If during this monitoring period you see your own emails failing DMARC, you can take action to solve the issues. Once all your authorized emails are getting validated correctly, you can enforce DMARC with a policy of p=quarantine or p=reject.

4. I don’t need to enforce DMARC (p=none is enough)

When you set up DMARC without enforcing it (policy of p=none), all emails from your domain—including those that fail DMARC—get delivered. You’ll be receiving DMARC reports but not protecting your domain from any spoofing attempts. After the initial monitoring period (explained above), it’s absolutely necessary to set your policy to p=quarantine or p=reject and enforce DMARC.

5. Only big brands need DMARC

Many smaller organizations believe that only the biggest, most recognizable brands need DMARC protection. In reality, cybercriminals will use any business’s domain to launch a spoofing attack. Many smaller businesses don’t have dedicated cybersecurity teams, which makes it even easier for attackers to target small and medium-size organizations. Remember, every organization that has a domain name needs DMARC protection!

6. DMARC Reports are easy to read

We see many organizations implementing DMARC and having the reports sent to their own email inboxes. The problem with this is that DMARC reports come in an XML file format, which can be very difficult to read if you’re not familiar with it. Using a dedicated DMARC platform can not only make your setup process much easier, but PowerDMARC can convert your complex XML files into easy-to-read reports with graphs, charts and in-depth stats.


New Zealand’s top 200 companies and government departments are facing serious DMARC compliance issues, putting them at 36th spot worldwide.

In recent years, many major countries around the world have begun to recognize the importance of email security to prevent phishing attacks. In this climate of rapid change in cybersecurity practices, New Zealand has been lagging behind its peers in its levels of awareness and response to global security trends.

We conducted a study of 332 domains of organizations both in the public and private sectors. Among the domains we surveyed were:

  • Deloitte Top 200 List (2019)
  • New Zealand’s top energy companies
  • Top telecom companies
  • NZ registered banks
  • The New Zealand Government (excluding Crown entities).

By studying their public DNS records and gathering data on their SPF and DMARC statuses, we were able to gather data on how well-protected major New Zealand organizations are against spoofing. You can download our study to find out the details behind these numbers:

  • Only 37 domains, or 11%, had enforced DMARC at a level of quarantine or reject, which is required to stop domain spoofing.
  • Less than 30% of Government domains had implemented DMARC correctly at any level.
  • 14% of organizations observed had invalid SPF records and 4% had invalid DMARC records — many of them had errors in their records, and some even had multiple SPF and DMARC records for the same domain.

Our full study contains an in-depth exploration of the biggest hurdles New Zealand companies face in effectively implementing DMARC.


One of the easiest ways to put yourself at risk of losing your data is to use email. No, seriously — the sheer number of businesses that face data breaches or get hacked because of an email phishing scam is staggering. So why do we still use email, then? Why not just use a more secure mode of communication that does the same job, only with better security?

It’s simple: email is incredibly convenient and everyone uses it. Pretty much every organization out there uses email either for communication or marketing. Email is integral to how business works. But the biggest flaw of email is something that’s unavoidable: it requires humans to interact with it. When people open emails, they read the contents, click on links, or even enter personal information. And because we don’t have the time or ability to carefully scrutinize every email, there’s a chance that one of them ends up being a phishing attack.

Attackers impersonate well-known, trusted brands to send emails to unsuspecting individuals. This is called domain spoofing. The recipients believe the messages to be genuine and click on malicious links or enter their login information, putting themselves at the attacker’s mercy. As long as these phishing emails continue entering people’s inboxes, email won’t be totally safe to use.

How Does DMARC Make Email Secure?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol designed to combat domain spoofing. It uses two existing security protocols—SPF and DKIM—to protect users from receiving fraudulent email. When an organization sends email through their domain, the receiving email server checks their DNS for a DMARC record. The server then validates the email against SPF and DKIM. If the email successfully authenticates, it gets delivered to the destination inbox.



Only authorized senders pass SPF and DKIM, which means that if someone tried to spoof the domain, their email would fail DMARC authentication. If that happens, the DMARC policy set by the domain owner tells the receiving server how to handle the email.

What is a DMARC Policy?

When implementing DMARC, the domain owner can set their DMARC policy, which tells the receiving email server what to do with an email that fails DMARC. There are 3 policies:

  • p=none
  • p=quarantine
  • p=reject

If your DMARC policy is set to none, even emails that don’t pass DMARC get delivered to the inbox. This is almost like not having a DMARC implementation at all. Your policy should only be set to none when you’re just setting up DMARC and want to monitor the activity in your domain.

Setting your DMARC policy to quarantine sends the email to the spam folder, while reject outright blocks the email from the receiver’s inbox. You need to have your DMARC policy set to either p=quarantine or p=reject in order to have full enforcement. Without enforcing DMARC, users receiving your emails will still receive emails from unauthorized senders spoofing your domain.
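The policy lives in a TXT record at _dmarc.yourdomain, and a few other tags in that record change what the receiver does with a failing message. The Python below is an added example of parsing that record and applying it, and is not code from the original post or from PowerDMARC. It also checks the condition our New Zealand study above found in the wild, more than one DMARC record on the same name, which receivers treat as having no policy at all. All record values are constructed.

```python
import random

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a dict, filling in the defaults receivers assume."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    tags.setdefault("sp", tags["p"])       # subdomain policy defaults to p
    tags.setdefault("adkim", "r")          # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    pct = int(tags.get("pct", "100"))      # share of failing mail the policy applies to
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    return tags


def policy_from_txt_records(records):
    """Given every TXT record at _dmarc.<domain>: None means no DMARC, two or more is invalid."""
    found = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not found:
        return None
    if len(found) > 1:
        raise ValueError(f"{len(found)} DMARC records found; receivers treat this as no policy")
    return parse_dmarc_record(found[0])


def record_problem(records):
    """Return a description of what is wrong with the published records, or None if they are fine."""
    try:
        policy_from_txt_records(records)
        return None
    except ValueError as exc:
        return str(exc)


def disposition(policy, dmarc_result: str, is_subdomain: bool = False, roll=None) -> str:
    """What the receiver does with one message under p=, sp= and pct=."""
    if policy is None or dmarc_result == "pass":
        return "deliver"
    requested = policy["sp"] if is_subdomain else policy["p"]
    roll = random.randrange(100) if roll is None else roll   # roll is exposed for testing
    if roll >= policy["pct"]:
        # Messages outside the pct sample get the next less strict policy (RFC 7489 6.6.4).
        requested = {"reject": "quarantine", "quarantine": "none", "none": "none"}[requested]
    return {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}[requested]


if __name__ == "__main__":
    # Constructed records for a domain that is rolling out reject on half of its failing mail.
    txt = ["some-verification=abc123",
           "v=DMARC1; p=reject; sp=quarantine; pct=50; rua=mailto:dmarc-reports@example.com"]
    pol = policy_from_txt_records(txt)
    print(pol)
    for roll in (10, 75):
        print("roll", roll, "->", disposition(pol, "fail", roll=roll))
```

The pct tag is what makes "enforce gradually" possible: with pct=50 and p=reject, half of the failing mail is rejected and the other half is quarantined, so a mistake in your own SPF or DKIM setup shows up in the reports before it costs you all of your mail.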

But all of this raises an important question. Why doesn’t everyone just use SPF and DKIM to verify their emails? Why bother with DMARC at all? The answer to that is…

DMARC Reporting

If there’s one key shortcoming of SPF and DKIM, it’s that they don’t give you feedback on how emails are being processed. When an email from your domain fails SPF or DKIM, there’s really no way to tell, and no way to fix the issue. If someone’s trying to spoof your domain, you wouldn’t even know about it.

That’s what makes DMARC’s reporting feature such a game-changer. DMARC sends weekly Aggregate Reports to the email address the domain owner specifies. These reports contain detailed information about which emails failed authentication, which IP addresses they were sent from, and lots more useful, actionable data. Having all this information can help the domain owner see which emails are failing to authenticate and why, and even identify spoofing attempts.

So far, it’s pretty clear that DMARC benefits email recipients by protecting them from unauthorized phishing emails. But it’s the domain owners that are implementing it. What advantage do organizations get when they deploy DMARC?

DMARC For Brand Safety

Although DMARC wasn’t created with this purpose, there’s one major advantage organizations stand to gain by implementing it: brand protection. When an attacker impersonates a brand to send malicious emails, they’re effectively co-opting the brand’s popularity and goodwill to peddle a scam. In a survey conducted by the IBID Group, 83% of customers said that they’re concerned about purchasing from a company that was previously breached.

The intangible elements of a transaction can often be as powerful as any hard data. Consumers put a lot of trust in the organizations they buy from, and if these brands become the face of a phishing scam, they stand to lose not only the customers who got phished, but many others who heard about it in the news. Brand safety is fragile, and must be guarded for the sake of the business and the customer.



DMARC enables brands to take back control of who gets to send emails through their domain. By shutting out unauthorized senders from exploiting them, organizations can ensure only safe, legitimate emails go out to the public. This not only boosts their domain’s reputation with email providers, but it also goes a long way in ensuring a relationship built on trust and reliability between the brand and consumers.

DMARC: Making Email Safe for Everyone

DMARC’s purpose has always been greater than helping brands safeguard their domains. When everyone adopts DMARC, it creates an entire email ecosystem inoculated against phishing attacks. It works exactly like a vaccine — the more people that enforce the standard, the smaller the chances of everyone else falling prey to fake emails. With each domain that gets DMARC-protected, email as a whole becomes that much safer.

By making email safe for ourselves, we can help everyone else use it more freely. And we think that’s a standard worth upholding.